# Supplier Assurance Guidance

## Purpose

This guidance note helps supplier owners and reviewers apply the supplier security documents in a proportionate way.

## Focus On Material Suppliers

Not every supplier needs the same depth of review. More attention should be given to suppliers that:

- host or process important BlackDice data
- support production service delivery
- have privileged access
- affect resilience or customer commitments
- operate as subprocessors or critical dependencies

## Questions To Ask During Review

Useful supplier review questions often include:

- what service is actually being provided
- what information is handled
- what access is granted
- what happens if the supplier fails
- what evidence exists for security and resilience
- what notification obligations apply

## Shared Responsibility

For cloud and managed platforms, supplier review should not stop at "provider is certified". The practical question is which controls remain with BlackDice and which are delivered by the supplier.

That matters most for:

- identity and access
- configuration
- logging
- backup and recovery
- incident handling
- data location and retention

## When To Reassess

Reassessment should be triggered when:

- the supplier's role expands
- the deployment model changes
- a major incident occurs
- assurance evidence becomes stale
- customer or regulatory expectations change

## Related Documents

- `../../01-policies/supplier-security-policy.md`
- `../../02-standards/supplier-due-diligence-standard.md`
- `../../03-procedures/supplier-onboarding-and-review-procedure.md`
- `../../04-registers/supplier-register-template.md`